playbooks

home / skills / openclaw / openclaw / node-connect

node-connect skill

/skills/node-connect

This skill helps diagnose and fix OpenClaw node connection and pairing issues across local, LAN, Tailnet, and public URL setups.

npx playbooks add skill openclaw/openclaw --skill node-connect

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
4.5 KB
---
name: node-connect
description: Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps. Use when QR/setup code/manual connect fails, local Wi-Fi works but VPS/tailnet does not, or errors mention pairing required, unauthorized, bootstrap token invalid or expired, gateway.bind, gateway.remote.url, Tailscale, or plugins.entries.device-pair.config.publicUrl.
---

# Node Connect

Goal: find the one real route from node -> gateway, verify OpenClaw is advertising that route, then fix pairing/auth.

## Topology first

Decide which case you are in before proposing fixes:

- same machine / emulator / USB tunnel
- same LAN / local Wi-Fi
- same Tailscale tailnet
- public URL / reverse proxy

Do not mix them.

- Local Wi-Fi problem: do not switch to Tailscale unless remote access is actually needed.
- VPS / remote gateway problem: do not keep debugging `localhost` or LAN IPs.

## If ambiguous, ask first

If the setup is unclear or the failure report is vague, ask short clarifying questions before diagnosing.

Ask for:

- which route they intend: same machine, same LAN, Tailscale tailnet, or public URL
- whether they used QR/setup code or manual host/port
- the exact app text/status/error, quoted exactly if possible
- whether `openclaw devices list` shows a pending pairing request

Do not guess from `can't connect`.

## Canonical checks

Prefer `openclaw qr --json`. It uses the same setup-code payload Android scans.

```bash
openclaw config get gateway.mode
openclaw config get gateway.bind
openclaw config get gateway.tailscale.mode
openclaw config get gateway.remote.url
openclaw config get gateway.auth.mode
openclaw config get gateway.auth.allowTailscale
openclaw config get plugins.entries.device-pair.config.publicUrl
openclaw qr --json
openclaw devices list
openclaw nodes status
```

If this OpenClaw instance is pointed at a remote gateway, also run:

```bash
openclaw qr --remote --json
```

If Tailscale is part of the story:

```bash
tailscale status --json
```

## Read the result, not guesses

`openclaw qr --json` success means:

- `gatewayUrl`: this is the actual endpoint the app should use.
- `urlSource`: this tells you which config path won.

Common good sources:

- `gateway.bind=lan`: same Wi-Fi / LAN only
- `gateway.bind=tailnet`: direct tailnet access
- `gateway.tailscale.mode=serve` or `gateway.tailscale.mode=funnel`: Tailscale route
- `plugins.entries.device-pair.config.publicUrl`: explicit public/reverse-proxy route
- `gateway.remote.url`: remote gateway route

## Root-cause map

If `openclaw qr --json` says `Gateway is only bound to loopback`:

- remote node cannot connect yet
- fix the route, then generate a fresh setup code
- `gateway.bind=auto` is not enough if the effective QR route is still loopback
- same LAN: use `gateway.bind=lan`
- same tailnet: prefer `gateway.tailscale.mode=serve` or use `gateway.bind=tailnet`
- public internet: set a real `plugins.entries.device-pair.config.publicUrl` or `gateway.remote.url`

If `gateway.bind=tailnet set, but no tailnet IP was found`:

- gateway host is not actually on Tailscale

If `qr --remote requires gateway.remote.url`:

- remote-mode config is incomplete

If the app says `pairing required`:

- network route and auth worked
- approve the pending device

```bash
openclaw devices list
openclaw devices approve --latest
```

If the app says `bootstrap token invalid or expired`:

- old setup code
- generate a fresh one and rescan
- do this after any URL/auth fix too

If the app says `unauthorized`:

- wrong token/password, or wrong Tailscale expectation
- for Tailscale Serve, `gateway.auth.allowTailscale` must match the intended flow
- otherwise use explicit token/password

## Fast heuristics

- Same Wi-Fi setup + gateway advertises `127.0.0.1`, `localhost`, or loopback-only config: wrong.
- Remote setup + setup/manual uses private LAN IP: wrong.
- Tailnet setup + gateway advertises LAN IP instead of MagicDNS / tailnet route: wrong.
- Public URL set but QR still advertises something else: inspect `urlSource`; config is not what you think.
- `openclaw devices list` shows pending requests: stop changing network config and approve first.

## Fix style

Reply with one concrete diagnosis and one route.

If there is not enough signal yet, ask for setup + exact app text instead of guessing.

Good:

- `The gateway is still loopback-only, so a node on another network can never reach it. Enable Tailscale Serve, restart the gateway, run openclaw qr again, rescan, then approve the pending device pairing.`

Bad:

- `Maybe LAN, maybe Tailscale, maybe port forwarding, maybe public URL.`

Overview

This skill diagnoses OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps. It guides you to find the real route from node to gateway, verify what OpenClaw is advertising, and fix pairing/auth errors like "pairing required", "unauthorized", or "bootstrap token invalid or expired."

How this skill works

It inspects the effective gateway route by preferring openclaw qr --json and a small set of canonical config checks (gateway.bind, gateway.tailscale.mode, gateway.remote.url, plugins.entries.device-pair.config.publicUrl, gateway.auth.*). It compares expected topology (same machine, same LAN, tailnet, or public URL) to the advertised route, then gives one concrete diagnosis and one clear remediation step. If Tailscale is involved it also checks tailscale status --json and device pairing state with openclaw devices list.

When to use it

  • QR/setup code or manual host/port scan fails
  • App error mentions pairing required, unauthorized, or bootstrap token invalid/expired
  • Local Wi‑Fi connects but remote access via VPS or tailnet fails
  • Errors referencing gateway.bind, gateway.remote.url, Tailscale, or plugins.entries.device-pair.config.publicUrl
  • You see pending device pairing requests but the app still won’t proceed

Best practices

  • Decide topology first: same machine, same LAN, tailnet, or public URL; do not mix them
  • Run openclaw qr --json and read gatewayUrl and urlSource — fix the config path that lost
  • If Tailscale is used, verify tailscale status --json and that gateway.bind or tailscale.mode matches
  • Generate a fresh setup code after any URL/auth change; old bootstrap tokens expire
  • If devices list shows pending pairing, approve it instead of repeatedly changing network settings
  • When unclear, ask for the exact app error text and the openclaw qr --json output before guessing

Example use cases

  • Gateway advertising 127.0.0.1 while node is on another LAN: change gateway.bind to lan and regenerate QR
  • QR shows gateway.bind=tailnet but host has no Tailscale IP: install/enable Tailscale or switch to LAN/public mode
  • App says "bootstrap token expired": create a new openclaw qr --json and rescan immediately
  • App says "pairing required": run openclaw devices list and openclaw devices approve --latest to complete pairing
  • Public reverse proxy configured but QR still points to LAN: inspect urlSource and fix plugins.entries.device-pair.config.publicUrl

FAQ

What should I run first when a node can't connect?

Run openclaw qr --json and check gatewayUrl and urlSource; if remote, also run openclaw qr --remote --json.

The app says "unauthorized" — what now?

Confirm the token/password and gateway.auth.allowTailscale setting match the intended flow; adjust auth or enable explicit token use.

When do I need a fresh setup code?

Any time you change URL or auth configuration, or if the app reports bootstrap token invalid or expired.